Posted by michael on Sat Aug 07, '04 03:01 AM from the the-goggles,-they-do-nothing dept.
An anonymous reader writes "While there have been a few postings on
events happening at DefCon 12, one event seems to have been
overlooked. A new wireless packet injection tool was quietly released
(unleashed?) during DefCon: AirPwn. Here's a write-up of the tool as
deployed by its author and crew at DefCon 12."

figure you'd see a regular HTTP response packet that fits your TCP
sequence numbers quite nicely, and a RST afterwards because the numbers
got messed up as the faked response didn't have the same length as the
real server response. Perhaps they hold down the server by injecting
RST packets, too, like juggernaut's TCP stream capturing mode did...

At Defcon 12 this year my cow-orkers and I brought along a little piece
of code called "airpwn." Airpwn is a platform for injection of
application layer data on an 802.11b network. Although the potential
for evil is very high with this tool, we decided to demonstrate it (and
give it its first real field trial) on something nasty, but harmless
(compared to say, wiping your hard-drive).

Over the course of defcon, we fielded 7 different airpwn configurations
to see how well it worked, and of course to watch as 31337 h4x0rz got
goatse up in their mug. The configurations were:

* HTTP goatse, 100% of the screen
* HTTP goatse replacing all images
* HTTP goatse as the page background via CSS
* HTTP tubgirl replacing all images
* HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
* HTTP javascript alert boxes, letting people know just how pwned they were
* FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)
How does it work?
airpwn requires two 802.11b interfaces, one for listening, and another
for injecting. It uses a config file with multiple config sections to
respond to specific data packets with arbitrary content. For example,
in the HTML goatse example, we look for any TCP data packets starting
with "GET" or "POST" and respond with a valid server response including
a reference to the canonical goatse image. Here's the configuration
file used for this mode:

    begin goatse_html
    match ^(GET|POST)
    ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response content/goatse_html

and here is the content that we return when the match is triggered:

    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html

    pwned
    OPEN YOUR MIND -- TO THE ANUS!!
Each of the 7 modes mentioned previously varied in the configuration
and content returned. In each case the poor user of the web browser was
left feeling disgusted, afraid and/or confused. While I was busy
operating airpwn at the laptop, my accomplices wandered the show-floor
taking pictures and the occasional video of our victims. Links to our
victims are at the top of the page.
In all honesty, the reaction to airpwn wasn't exactly what I had
expected. When I was writing the code, I imagined that the second I
turned airpwn on we'd hear immediate groans of disgust radiating out at
the speed of light. In practice, airpwn's effect was simultaneously
more private, and more full of personal drama. First off, the
full-screen goatse seemed to be too powerful. The second it flashed on
the screen, the savvy user would have the browser closed already. This
made it incredibly difficult to actually catch the victims on film.
Based on the logs generated by airpwn we would be hitting multiple
people per second, but finding someone with goatse up on their screen
was still a bit of a challenge. Once we did find a victim, the
results were pretty hilarious. I had tears rolling down my cheeks on
multiple occasions. The typical goatse reaction went something like
this:

* Open browser, see goatse, jump backwards a little
* quickly close browser, take a breath
* open browser, see goatse, close browser (faster this time)
* scratch head, quit browser process, re-launch browser
* see page indicating that goatse will load soon (page header, etc.), immediately close browser.
* open up browser preferences, click all the tabs, look for the "no goatse" checkbox
* clear the browser cache
* open browser, see goatse, close browser
* open network preferences, click on all the tabs, look for the "no goatse" checkbox.
* disconnect from network, re-associate
* open browser, see goatse, close browser
At this point, the less l33t people would generally give up and either
1) do something else or 2) look deep into goatse's anus with a 10-yard
stare.. The more l33t victims would launch ethereal and try to figure
out what was going on.. Eventually they would mumble something about
"rogue APs" (WRONG!) or ARP poisoning (WRONG!) or D
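The race the write-up describes leaves a fingerprint a defender can look for in a packet capture: two data segments in the same TCP flow carrying different bytes for the same sequence number, the forged reply arriving first and the genuine server segment later, followed by the client's RST. The detector below is an added example, not airpwn's code nor anything from the original post; the packet records it runs on are constructed inline (RFC 5737 documentation addresses) rather than taken from a real capture, and a real deployment would feed it from a pcap decoder.

```python
"""Spot the fingerprint of in-flight TCP response injection: two data
segments in one flow that carry DIFFERENT bytes for the SAME sequence
number. A plain retransmission repeats the same bytes and is not flagged."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    flags: str       # e.g. "PA" for PSH+ACK, "R" for RST
    payload: bytes


def flow_key(s):
    return (s.src, s.sport, s.dst, s.dport)


def detect_injection(segments):
    """Return one alert per (flow, seq) whose overlapping bytes disagree.
    Because the injector wins the race, the first copy seen is the suspect
    and the later copy is normally the genuine server segment."""
    seen = defaultdict(dict)          # flow -> {seq: first Segment seen}
    alerts = []
    for s in sorted(segments, key=lambda x: x.ts):
        if not s.payload:             # pure ACK / RST: nothing to compare
            continue
        first = seen[flow_key(s)].get(s.seq)
        if first is None:
            seen[flow_key(s)][s.seq] = s
            continue
        n = min(len(first.payload), len(s.payload))
        if first.payload[:n] != s.payload[:n]:   # same seq, different bytes
            alerts.append({
                "flow": flow_key(s), "seq": s.seq,
                "suspect_ts": first.ts, "genuine_ts": s.ts,
                "len_first": len(first.payload), "len_second": len(s.payload),
                "first_bytes": first.payload[:24], "second_bytes": s.payload[:24],
            })
    return alerts


def sample_capture():
    """Constructed packets (not a real capture) modelling the race in the
    write-up: the forged reply beats the genuine one to the client, whose
    stack then resets the connection."""
    cli, srv = "192.0.2.5", "203.0.113.10"
    forged = (b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
              b"Content-Type: text/html\r\n\r\n<html>pwned</html>")
    real = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html>hello from slashdot</html>")
    return [
        Segment(0.000, cli, srv, 51234, 80, 700, "PA", b"GET / HTTP/1.1\r\n\r\n"),
        Segment(0.002, srv, cli, 80, 51234, 1000, "PA", forged),  # injected
        Segment(0.080, srv, cli, 80, 51234, 1000, "PA", real),    # genuine
        Segment(0.081, cli, srv, 51234, 80, 718, "R", b""),       # client RST
        # benign retransmission on a separate FTP control connection
        Segment(1.000, srv, cli, 21, 51300, 5000, "PA", b"220 ftp ready\r\n"),
        Segment(1.300, srv, cli, 21, 51300, 5000, "PA", b"220 ftp ready\r\n"),
    ]
```

Running `detect_injection(sample_capture())` yields a single alert for the HTTP flow at sequence 1000 and nothing for the repeated FTP banner, which is the ordinary retransmission case an IDS must not confuse with injection.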

I was a victim of this at defcon, but since I was using lynx, I really
didn't see any of the images mentioned. Actually, most of the surfing I
did at defcon was using links or w3m over ssh (on a home box).


It's a hacker conference. There is probably no more tolerant place to
release such a piece of code, where your talents will be respected
instead of persecuted. There were also no doubt many members of the
computer security community present who would want to be aware of any
new vulnerabilities immediately. I think it's a great thing it was
tried and released at DefCon first.

Do people still do this? Packet injections of various and sundry sorts are old news.

There's
a worrisome pattern, in the IT security biz, of repetition. Hacks
discovered a few years ago re-appear in new clothes as "new,"
technologies for protecting against them resurface every few years in
the same way. Computing as a whole tends to re-invent things on
something like a 15 year cycle, but security seems to be on a truly
frenetic clock, cycling every 2 years or so (very very approximately;)

Is there some connection between this and that vulnerabilities re-surface in new clothes constantly as well?

This could actually be a fairly annoying tool in the hands of
advertisers. It also has some pretty good uses I can think of.

Three scenarios to point this out.

You're at Joe's Internet Cafe, munching on your slightly
overpriced muffin and glad for the free Wi-Fi access since you're out
of town, and don't get to check your email much on the road. You hit
the link to a message you want to read on webmail, when all of a
sudden, an ad comes up. Nothing too bad, but it seems that Joe has
decided that instead of charging people directly for 'net access, he'll
rig up an old desktop with wireless to transmit the ad source for every
100th HTTP request that comes through his system.

This is a potentially annoying way of using the technology, but
it also sounds like it could be a good way for Joe to help recoup his
costs on the internet. Not a place I'd mind going.

Scenario Two

You're at Joe's Internet Cafe, munching on your slightly
overpriced bagel, glad for the...well, you know. This time the 'net
access isn't free, but Joe's giving it out for $1 an hour, more than
reasonable. 58 minutes in, you make an HTTP request, and a small
javascript window pops up informing you that you've just got a couple
minutes left, more time can be bought at the counter. After 60 minutes,
instead of locking you out, all your requests simply get a screen
advising you that if you want to keep going, Joe's going to need a
dollar at the counter.

Seems useful to me.

Scenario Three

You're in Joe's Internet Cafe, sipping some slightly overpriced
coffee and you try to get online. After you've paid your dollar to the
friendly man at the counter.

You keep getting ads. You click out, thinking that it's a
popup window, and no, you really don't need to enlarge that, it's fine
how it is.

All browser windows closed. You try again.

No, I don't really need those drugs...

Or those pieces of software

Or...

You get the idea. Turns out, that guy in the corner is making
some quick cash by spamming everyone in the place. The only sites that
are coming through are from those ads. He leaves after about 15
minutes, because it can't be long until someone figures it out, but
you've just lost 15 minutes of your time.

I realize it's an extreme example, but you think someone won't try it?

Joe, if you're out there, we need to talk. I've got some ideas for you.

If you're at Joe's cafe, there's no need for Joe
to use AirPwn. He already pwns the net connection you're connecting
through (wirelessly). He can intercept & replace any packet he
wants to anyway.

The point of AirPwn is intercepting wifi traffic on someone else's
network; the uses of which are overwhelmingly more malicious than benign, to
my thinking. Exactly like Scenario 3. Or worse, detecting passwords,
requests for secure connections to eBay, banks, etc.

My question to the crowd is, how effective would existing wireless encryption standards be at disabling AirPwn?

You're at Joe's internet cafe, or in an airport, etc. Suddenly, your
internet explorer gets a web page redirect to some random porno movie
of 3 guys raping a rather unattractive asian girl, complete with
audio... in full screen mode. Since your laptop's audio is on, everyone
in the area, including your girlfriend hear, "No don't put it in my
pussy. [scream]"... And you're joe blow who doesn't know how to use the
keyboard to close the window to save your life.

Yes, it could happen, particularly if the geek in the corner is sniffing your WiFi traffic, and singles you out.

More
serious would be something which noted when you wanted a secure site,
such as a bank, and proxied to a full-screen web page image complete
with security icons that tricked the user into sending you their
password in the clear.

There are malicious 14 year olds with laptops out there that would find this awfully amusing.

Ok, so I got hit by this, when attempting to check slashdot during one
of the talks. First reaction was to hit the Back button as fast as I
could, to get the image off my screen.

Once the shock wore off, I pointed out the issue to my friends
sitting next to me. They spent some time analyzing ethereal output,
while I downloaded and ran arpwatch. It's pretty sad to hear that some
kiddies were checking browser settings....

The article claims there was no arp poisoning going on, but
actually there was. I saw plenty of that. Which kinda confused us,
since there doesn't seem to be much need for that in a wireless
environment. You can sniff w/o arping, and you can inject traffic (as
they were). But yes, it was definitely happening, though apparently by
a different group. (Actually, I detected three different MAC addresses
competing for the AP's IP.)

In hindsight I should have saved some of my packet captures. Might have been fun to look over later.

Wireless was pushed along by a need to get it out. READ COMPANY
PROFITS. I have attended lectures where this is described on and on.
Little to no attention was paid to security. WEP? Yeah good luck. It is
fairly easy to exploit any wireless connection. It just wasn't done
right. But this is the best part. Become the middle man.

I wonder what this will be for people at home browsing the internet on
their wireless computers. There's nothing parents can do to stop their
children from seeing images that are being injected like this with
Frank next door beaming modified HTTP requests through the
neighbourhood. The only way to do that would be a) Disabling *ALL*
images displayed on their web browser b) Running wires through the
house. I'll bet this will be another push for WEP and other forms of
wireless encryption. I wouldn't want my 4 year old nephew opening up
internet explorer to find a Playboy bunny sitting on the top of their
MSN.ca startup page! Anyways... back to sleep...

1.
SSL would effectively block this attack IF the user pays attention to
invalid certs. Your browser contains certain CAs it trusts and, unless
they had control of your PC which is certainly possible but was not
done in this case, the CA they would use would be invalid and generate
that pop-up box telling you so. If you ignore that box and click yes
you do so at your own peril.

2. What about it? Once the data is
on wifi then it is fair game for any type of manipulation. That is why
they have 2 nics. The first nic "hears" your request for content "GET"
and then responds much more quickly than the remote web server can
with the corrupted "POST". When the correct information finally gets to
your PC it is simply ignored as invalid TCP traffic and a RST packet is
generated.

3. WEP would have stopped it in this instance. WEP is
breakable but requires a good amount of data to be sent over the wire.
Since your average user is not going to send GBs of data over HTTP and
the processing power needed to break 100s of connections would be more
than a couple of laptops could handle, this attack would have been a lot
less fun. Still possible but would need to be much more dedicated. I
run WEP at home, I know it will not stop the determined hacker but the
casual war-driver will ignore me in favor of my many neighbors with open
APs.

4. You are correct AS LONG AS you pay attention to the
cert's trail. SSL really is two separate pieces in my mind. 1 -
encryption - End - To - End data encryption and 2 - Trust - I know the
data I am receiving comes from the correct website. This is done with
certificates. Since there is no God of the internet and we have to
trust someone initially, companies like verisign, etc have worked with
Microsoft, Mozilla, etc to get their root certs pre-installed in your
browser. Anybody can generate a certificate but only companies that
have passed the "Identification Test" with Verisign or whoever can
issue certs that will have the proper path back to a valid root cert.
Please note Verisign has been duped before and even given out valid MS
certs to non-microsoft organizations.

You may think it is lame
but it is actually a harmless example of things to come. Why is
wardriving so popular? Because 90% of the APs do NOT use WEP. If
everyone used WEP that would stop casual attacks. Consider two fences.
One a 3-ft high fence. This fence is only going to stop people who
don't want to go in. The 2nd fence is 10' high with barbed wire. This
can still be overcome but will require some dedication. That is the
difference between open and WEP. The problem is nobody uses WEP so this
attack will work most of the time with ease.

All I see in this discussion is either people joking, bitching or having no idea how airpwn works.

Let's just set things straight. First of all, there is no arp poisoning. Do
you disagree? Well it's a GPL app, go read the source, show me the arp
poison part of the code. What's that you can't find it? Oh, well jesus,
it's because it doesn't do that.

You can hijack any tcp connection with this, it cannot be blocked without blocking the legit traffic.

This is accomplished by using raw frame injection. One
network card listens on a given channel (or in the case of a cisco
card, all channels) and the other card simply injects custom frames
with perfect replies. If your reply (it's up to you how big it is) is
the right size, it's injected so perfectly that the connection not only
still works, all of your webpage stuff still works, images just load as
whatever the attacker wants.

It works with ftp, http, aim or whatever. You can just have a ball.

It
would be entirely possible to write regex that replied over aim or icq
or any of that crap with a raw frame telling the other people in the
conversation that they were coming out, it's up to you.

The
software uses a very customizable framework to allow for use of regular
expressions for matching. It's really useful for things other than
goatse, but at defcon, they deserve the best.

Anyway, the totally clueless people here that claim to know how it works haven't even compiled it, so don't listen to them.

I
just got an Airport Express recently and during the setup process it
gave me the option of using WEP or WPA, which it said was more secure,
so I chose the latter. Why hasn't anyone mentioned WPA in this
discussion? I don't really know anything about it other than it is
supposed to be a more secure alternative to WEP, yet I've never heard
anyone mention it even from the store I bought the Airport Express from.

Also, is there IPSEC for OS X? It's not mentioned anywhere in the Airport Admin Utility. Is it built-in? I Googled for it, and some of the first few links mention vulnerabilities in Mac OS X IPSEC. What's this all about?

* while i do admire the desire to prove the inadequacies of wireless...
* while i do recognize that this is a hacker's conference...
* while i do realize that it's a good thing to do this, to prove that we should use encryption...

it's
just sad. i'm old enough to remember open mail relays, not being
abused, so maybe i'm just tired of the continual need to upgrade,
secure, and encrypt.

wireless is cool, no two words about it.
i'm sitting on my front porch, enjoying the cool air, waving to the
neighbors who are out walking.

i don't use encryption on the
wireless, simply because i'm not worried about somebody sniffing these
unsecured packets (since i use ssh sessions for things that matter.)
and because my old plaster walls don't let it go far.

but the
main reason i didn't use it was because dammit, i am tired of being
suspicious of everybody and everything. use secure channels, sure, but
why should we have to encrypt the transport itself? i don't know why i
thought wireless was going to be different than anything else.

(i'm
also kinda embarrassed that i didn't think of this first. it's TERRIBLY
obvious in hindsight. do also note, i'm not blaming the messengers in
any way- good on you, dudes.)

end-result: time to start
educating people about why it's necessary now to really worry about
encrypting the transport, rather than just the communication. and one
more thing that makes the net a less cool place, because some idiot out
there will use it for bad purposes.

Yes but so is clearing your cache to try to fix an obvious hack. I have
never attended any convention thinking that I would just be a fifth
wheel. Having seen this though I am inclined to believe I would be far
from the worst. I am curious if this would work if you had your browser
pointed to a proxy such as squid? Also couldn't you look at a packet
dump of this to find the mac address the anus in question is coming
from?